All IAM roles which need to read data encrypted with SSE-KMS must
have the permissions to decrypt using the specific key the data was
encrypted with:

```
kms:Decrypt
```

All IAM roles which need to both read and write data need
the encrypt and decrypt permissions (that is: encrypt-only permission is not
supported).

```
kms:Decrypt
kms:GenerateDataKey
```

If a role does not have the permissions to read data, it will fail with
a `java.nio.file.AccessDeniedException`. Note: renaming files requires
the permission to decrypt the data, as it is decrypted and then
re-encrypted as it is copied.

See AWS KMS API Permissions: Actions and Resources Reference
for more details on KMS permissions.
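
The following is an added example, not part of the original documentation: a small Python check that classifies an IAM identity policy against the rules above for one KMS key. The key ARN and sample policies are constructed, and the check is a simplification that ignores `Condition`, `NotAction`/`NotResource`, key policies and grants.

```python
import fnmatch

KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, key_arn):
    # IAM action names match case-insensitively; resource ARNs do not.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), p) for p in actions)
            and any(fnmatch.fnmatchcase(key_arn, p) for p in resources))

def allowed(policy, action, key_arn):
    """Explicit Deny wins; otherwise at least one Allow must match."""
    hits = [s for s in _as_list(policy.get("Statement", []))
            if _matches(s, action, key_arn)]
    if any(s.get("Effect") == "Deny" for s in hits):
        return False
    return any(s.get("Effect") == "Allow" for s in hits)

def sse_kms_access(policy, key_arn):
    """Classify a policy as 'read-write', 'read-only', 'unsupported' or 'none'."""
    decrypt = allowed(policy, "kms:Decrypt", key_arn)
    generate = allowed(policy, "kms:GenerateDataKey", key_arn)
    if decrypt and generate:
        return "read-write"
    if decrypt:
        return "read-only"
    # Encrypt-only is not a supported combination, per the text above.
    return "unsupported" if generate else "none"

def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

# Constructed sample policies.
READER = _policy({"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN})
WRITER = _policy({"Effect": "Allow", "Resource": KEY_ARN,
                  "Action": ["kms:Decrypt", "kms:GenerateDatakey"]})
ENCRYPT_ONLY = _policy({"Effect": "Allow", "Action": "kms:GenerateDataKey",
                        "Resource": KEY_ARN})
DENIED = _policy({"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
                 {"Effect": "Deny", "Action": "kms:Decrypt", "Resource": KEY_ARN})

if __name__ == "__main__":
    for name in ("READER", "WRITER", "ENCRYPT_ONLY", "DENIED"):
        print(name, "->", sse_kms_access(globals()[name], KEY_ARN))
```

The `DENIED` case shows why a broad `kms:*` grant is not enough evidence of access: an explicit deny on `kms:Decrypt` for the key leaves the role unable to read or rename objects encrypted with it.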